AWS API calls indicating EKS privilege escalation in multiple clusters
Description
AlphaSOC detected AWS API calls consistent with attempted privilege escalation across multiple Amazon EKS clusters. The activity involves changes to Kubernetes RBAC (Role-Based Access Control) objects, service accounts, cluster roles, or the cluster's access configuration that would grant a principal elevated rights it did not previously hold. Because the detection is based on the shape of the calls, the changes may turn out to be authorized; the investigation steps below confirm whether they were.
Impact
Successful privilege escalation in an EKS cluster could allow a threat actor to compromise every workload in the cluster, read sensitive application data and secrets, modify cluster configuration, or deploy malicious containers. The same activity appearing in multiple clusters points to a coordinated campaign rather than an isolated misconfiguration, and could affect the entire Kubernetes infrastructure and the applications it hosts.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS API calls indicating EKS privilege escalation in multiple clusters |
Investigation and Remediation
Immediately audit the RBAC configuration of every affected EKS cluster. Examine AWS CloudTrail for the EKS API calls that grant cluster access from the AWS side (for example access-entry creation and access-policy association), and examine each cluster's Kubernetes audit log (delivered through EKS control plane logging) for role bindings, cluster roles, and service accounts that were created or modified; note that RBAC changes made directly against the Kubernetes API appear in the audit log, not in CloudTrail. Identify the principal behind the changes and the clusters it touched, and verify with the owning team whether the changes were authorized. If they were not, revoke the elevated permissions, remove any access entries or aws-auth ConfigMap mappings that were added, rotate the affected service account tokens and the principal's AWS credentials, and review every role, binding, and service account created or modified in the same time window.
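The following is an added worked example, not AlphaSOC's detection logic or any code from the page. It runs a simple version of the CloudTrail side of this check over a handful of constructed CloudTrail records: it flags EKS API calls that grant admin-level cluster access (an access entry placed in system:masters, or a cluster-scoped association of an EKS admin access policy), separates successful grants from denied attempts, and reports principals that obtained elevated access in more than one cluster. The sample events, principal names and cluster names are invented, and the requestParameters field names are assumed to follow the EKS API request shapes; verify them against your own CloudTrail records before relying on this. RBAC edits made through kubectl do not pass through CloudTrail and are not covered here.

```python
"""Flag CloudTrail EKS events that grant elevated cluster access and find
principals doing so in more than one cluster. Added example; sample data is constructed."""
import json
from collections import defaultdict

# CloudTrail records AWS-side EKS access changes under eventSource eks.amazonaws.com.
# These actions grant Kubernetes rights to an IAM principal without touching RBAC objects directly.
GRANTING_ACTIONS = {"CreateAccessEntry", "UpdateAccessEntry", "AssociateAccessPolicy"}
# EKS managed access policies that confer admin rights (policy ARNs end with these names).
ADMIN_POLICIES = ("AmazonEKSClusterAdminPolicy", "AmazonEKSAdminPolicy")


def principal_of(event):
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("principalId") or "unknown"


def cluster_of(event):
    # Assumption: the cluster name is carried as requestParameters.name, as in the EKS API request shape.
    params = event.get("requestParameters") or {}
    return params.get("name") or params.get("clusterName") or "unknown"


def grants_elevated_access(event):
    """True if the call would give the target principal admin-level rights in the cluster."""
    if event.get("eventSource") != "eks.amazonaws.com":
        return False
    action = event.get("eventName")
    if action not in GRANTING_ACTIONS:
        return False
    params = event.get("requestParameters") or {}
    if action == "AssociateAccessPolicy":
        policy = params.get("policyArn", "")
        scope = (params.get("accessScope") or {}).get("type", "")
        # A namespace-scoped association is not cluster-wide escalation.
        return policy.endswith(ADMIN_POLICIES) and scope == "cluster"
    # CreateAccessEntry / UpdateAccessEntry: membership in system:masters is unrestricted cluster-admin.
    return "system:masters" in (params.get("kubernetesGroups") or [])


def classify(events):
    """Split matching events into successful grants and denied attempts as (principal, cluster, action)."""
    granted, denied = [], []
    for ev in events:
        if not grants_elevated_access(ev):
            continue
        row = (principal_of(ev), cluster_of(ev), ev["eventName"])
        (denied if ev.get("errorCode") else granted).append(row)
    return granted, denied


def multi_cluster_principals(granted):
    """Map each principal that gained elevated access in more than one cluster to its sorted cluster list."""
    clusters = defaultdict(set)
    for principal, cluster, _ in granted:
        clusters[principal].add(cluster)
    return {p: sorted(c) for p, c in clusters.items() if len(c) > 1}


# Constructed CloudTrail records (trimmed to the fields used above); not real data.
SAMPLE_EVENTS = json.loads(r'''[
 {"eventSource": "eks.amazonaws.com", "eventName": "CreateAccessEntry",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
  "requestParameters": {"name": "prod-a", "principalArn": "arn:aws:iam::123456789012:role/app-role",
                        "kubernetesGroups": ["system:masters"], "type": "STANDARD"}},
 {"eventSource": "eks.amazonaws.com", "eventName": "AssociateAccessPolicy",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
  "requestParameters": {"name": "prod-b", "principalArn": "arn:aws:iam::123456789012:role/app-role",
                        "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
                        "accessScope": {"type": "cluster"}}},
 {"eventSource": "eks.amazonaws.com", "eventName": "AssociateAccessPolicy",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
  "requestParameters": {"name": "prod-c", "principalArn": "arn:aws:iam::123456789012:role/app-role",
                        "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy",
                        "accessScope": {"type": "namespace", "namespaces": ["app"]}}},
 {"eventSource": "eks.amazonaws.com", "eventName": "AssociateAccessPolicy", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
  "requestParameters": {"name": "prod-d", "principalArn": "arn:aws:iam::123456789012:role/app-role",
                        "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
                        "accessScope": {"type": "cluster"}}},
 {"eventSource": "eks.amazonaws.com", "eventName": "AssociateAccessPolicy",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ops-admin"},
  "requestParameters": {"name": "prod-a", "principalArn": "arn:aws:iam::123456789012:role/sre",
                        "policyArn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy",
                        "accessScope": {"type": "cluster"}}},
 {"eventSource": "eks.amazonaws.com", "eventName": "DescribeCluster",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deployer"},
  "requestParameters": {"name": "prod-a"}}
]''')

if __name__ == "__main__":
    granted, denied = classify(SAMPLE_EVENTS)
    for row in granted:
        print("GRANTED", *row)
    for row in denied:
        print("DENIED ", *row)
    for principal, clusters in multi_cluster_principals(granted).items():
        print("MULTI-CLUSTER", principal, clusters)
```

The denied attempt in prod-d is kept as a separate list on purpose: a principal that is refused admin in one cluster after succeeding in others is exactly the pattern worth escalating, while the namespace-scoped association in prod-c is dropped because it is not cluster-wide. To triage a real hit, replace SAMPLE_EVENTS with the records from a CloudTrail lookup filtered on eventSource eks.amazonaws.com, then pair the result with the Kubernetes audit log of each named cluster.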